
Threat Intelligence Alert

BlackCat Ransomware: The Most Dangerous and Sophisticated Threat Strains That Target the Group's Infrastructure and Operations

Threat Intelligence Alert - 64857

ALPHV Blackcat administrators released the ALPHV Blackcat Ransomware 2.0 Sphynx update. It
was rewritten to give affiliates more features, such as improved defense evasion and additional
tooling. This ALPHV Blackcat upgrade can encrypt virtual machines (VMware instances) as well as
Windows and Linux devices. ALPHV Blackcat affiliates are well-versed in ransomware and data
extortion, and they have large networks. After installation on the domain controller, the logs on
the Exchange server are deleted. Victim data is then downloaded, moved, and/or exfiltrated using
Mega.nz or Dropbox. Following deployment of the ransomware, a file.txt containing the ransom
note is dropped. According to public reporting, affiliates have also terminated security
processes using STONESTOP and POORTRY.

Privilege Escalation
Remote Code Execution
Information Theft
Data Encryption
Data Exfiltration
Man-In-The-Middle
Command And Control

Vulnerable System

Microsoft Windows
VMware Workstation System Software
Linux Operating System


Block all threat indicators at your respective control.

Search for IOCs in your environment.
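One way to carry out that IOC search, as an added example that is not part of the alert: hash every file under a directory against the alert's SHA256/SHA1/MD5 lists, and refang the defanged domains and IPv4 addresses (the `[.]` notation used above) before matching them against proxy or DNS log lines. The indicator values, the log lines and the sample file are constructed placeholders, not the alert's own values.

```python
import hashlib
import os
import re
import tempfile

# Constructed placeholder indicators and log lines, not the alert's own values;
# substitute the SHA256/SHA1/MD5, domain and IPv4 lists published in the alert.
IOC_DEFANGED = ["resources[.]example[.]invalid", "203[.]0[.]113[.]10"]
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z GET https://resources.example.invalid/a.js 200",
    "2024-01-01T10:00:05Z GET https://updates.vendor.invalid/ 200",
    "2024-01-01T10:01:00Z CONNECT 203.0.113.10:443 200",
]

def refang(indicator: str) -> str:
    """Turn an alert-style defanged indicator (a[.]b, hxxp) back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def file_hashes(path: str) -> dict:
    """Compute md5, sha1 and sha256 of one file in a single read pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def sweep_files(root: str, iocs: dict) -> list:
    """Return (path, algo, digest) for every file under root whose digest is an IOC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            for algo, digest in file_hashes(path).items():
                if digest in iocs.get(algo, ()):
                    hits.append((path, algo, digest))
    return hits

def sweep_log(lines, defanged) -> list:
    """Return (line_no, indicator) for each line mentioning a refanged domain or IP."""
    patterns = [(refang(i), re.compile(re.escape(refang(i)), re.I)) for i in defanged]
    return [(no, ioc) for no, line in enumerate(lines, 1)
            for ioc, pat in patterns if pat.search(line)]

def demo_file_sweep() -> list:
    """Seed a scratch directory with one constructed file and flag it by its sha256."""
    data = b"constructed sample, not malware"
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "sample.bin"), "wb") as fh:
            fh.write(data)
        iocs = {"sha256": {hashlib.sha256(data).hexdigest()}}
        return [(os.path.basename(p), a) for p, a, _ in sweep_files(tmp, iocs)]
```

Match on all three hash algorithms rather than one, since an alert may list a sample under only one of them.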
